diff --git a/helios/tests.py b/helios/tests.py
index d742458f86856df9818fdc6827b7ed08c7c2a119..a563ef7d5dc2cfd9d56a556bb1f90dde2560076e 100644
--- a/helios/tests.py
+++ b/helios/tests.py
@@ -483,6 +483,10 @@ class ElectionBlackboxTests(TestCase):
 self.assertContains(response, ballot.hash)
 self.assertContains(response, html_escape(encrypted_vote))
+ # if we request the redirect to cast_done, the voter should be logged out, but not the user
+ response = self.client.get("/helios/elections/%s/cast_done" % election_id)
+ assert not self.client.session.has_key('CURRENT_VOTER')
+ # encrypted tally
 response = self.client.post("/helios/elections/%s/compute_tally" % election_id, { "csrf_token" : self.client.session['csrf_token']
diff --git a/helios/views.py b/helios/views.py
index 38d533abe3f1962fd03ee2522135f83dc598b162..20e2181dab92a69e33175651bed3c5e290c2bed1 100644
--- a/helios/views.py
+++ b/helios/views.py
@@ -649,7 +649,13 @@ def one_election_cast_done(request, election):
 votes = CastVote.get_by_voter(voter)
 vote_hash = votes[0].vote_hash
- logout = settings.LOGOUT_ON_CONFIRMATION
+ # only log out if the setting says so *and* we're dealing
+ # with a site-wide voter. Definitely remove current_voter
+ if voter.user == user:
+ logout = settings.LOGOUT_ON_CONFIRMATION
+ else:
+ logout = False
+ del request.session['CURRENT_VOTER']
 save_in_session_across_logouts(request, 'last_vote_hash', vote_hash)
 else:
@@ -664,7 +670,8 @@ def one_election_cast_done(request, election):
 # auth_views.do_local_logout(request) # remote logout is happening asynchronously in an iframe to be modular given the logout mechanism
- return render_template(request, 'cast_done', {'election': election, 'vote_hash': vote_hash, 'logout': logout}, include_user=False)
+ # include_user is set to False if logout is happening
+ return render_template(request, 'cast_done', {'election': election, 'vote_hash': vote_hash, 'logout': logout}, include_user=(not logout))
 @election_view()
 @json
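Review bot: The added check in the tests.py hunk covers only half of what its comment promises. It asserts that `CURRENT_VOTER` is gone after `cast_done`, but nothing asserts that the logged-in user is still present, which is the behaviour the views.py change exists to guarantee. Add an assertion on the user's session entry after the request (the key name is not visible in this hunk). The bare `assert` with `has_key` is also out of step with the `self.assertContains` calls around it; `self.assertNotIn('CURRENT_VOTER', self.client.session)` reports a useful failure and is not stripped under `python -O`. The enclosing test method starts and ends outside the hunk.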
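Review bot: In the first views.py hunk the comment says the voter is "definitely" removed, but as the hunk reads here `del request.session['CURRENT_VOTER']` appears to run only on the `else` path, so the voter credential stays in the session whenever `voter.user == user`. That comparison is also true when both sides are `None` (presumably a password-only voter with no logged-in account; how `voter` and `user` are resolved is outside the hunk), in which case clearing the voter depends entirely on `LOGOUT_ON_CONFIRMATION`. Clearing the key unconditionally after the `if`/`else` with `request.session.pop('CURRENT_VOTER', None)` would match the comment and would not raise `KeyError` when the key is already absent. The body of `one_election_cast_done` starts and ends outside the hunk.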